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Claims 



11. A network media access controller providing a centralized control point for 

2 managing secure data storage in a network-attached data storage subsystem, 

3 said network media access controller comprising: 

4 a) a first network interface coupleable through a first network 

5 connection to a network-attached data storage subsystem including a storage 

6 device, wherein said network-attached data storage subsystem is responsive to a 

7 data storage command to store first data to said storage device; 

8 b) a second network interface coupleable through a second network 

9 connection to a client computer system, wherein said client computer system 

1 0 selectively provides said data storage command with respect to second data; and 

11 c) a network data processor coupled to said first network interface 

1 2 to provide said data storage command and first data and to said second network 

13 interface to receive said data storage command and second data, said network 
^ 14 data processor including an encryptor coupled to selectively encrypt said second 

1 5 data to provide said first data based on an encryption key corresponding to said 

1 6 storage device. 

1 2. The network media access controller of Claim 1 wherein said encryption 

2 key is determined by said network data processor to correspond to said storage 

3 device. 



1 3. The network media access controller of Claim 2 wherein said storage 

2 device is a logical storage unit within said network-attached data storage 

3 subsystem. 
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1 4. The network media access controller of Claim 3 wherein said network data 

2 processor Includes a data table storing a plurality of encryption keys, including 

3 said encryption key, correlated against a plurality of logical storage unit 

4 identifiers, including an identifier of said logical storage unit. 

1 5. The network media access controller of Claim 4 wherein said data storage 

2 command includes an identification of said logical storage unit. 

O 1 6. The network media access controller of Claim 5 wherein said network data 



m 



2 processor includes a map table storing initiator logical storage unit identifiers and 

3 target logical storage unit identifiers, wherein said network access controller maps 

4 said identification provided by said data storage command through said table to 

5 select a target logical storage identifier corresponding to said logical storage unit. 

1 7. A network storage access controller comprising: 

2 a) a first network interface coupleable to an initiator network accessible by 

3 a plurality of network clients to exchange first network data, wherein said first 

4 network data contains unencrypted media-level storage data; 

5 b) a second network interface coupleable to a target network through 

6 which a plurality of network storage volumes are accessible to exchange second 

7 network data, wherein said second network data contains encrypted media-level 

8 storage data; and 

9 c) a controller coupled between said first and second network interfaces 
10 operative to convert between said first and second network data, said controller 
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including a crypto processor to encrypt and decrypt media-level storage data 
contained in said first and second network data. 



1 8. The network storage access controller of Claim 7 wherein said controller 

2 includes o plurality of crypto keys having a predetermined association with said 

3 plurality of network storage volumes and wherein said controller is operative to 

4 selectively apply said plurality of crypto keys to convert between said first and 

5 second network data, 

1 9. The network storage access controller of Claim 8 wherein said first and 

2 second network data include predetermined network data packets that 

3 encapsulate media-level storage data, wherein said controller is operative to 

4 process encapsulated media-level storage data through said crypto processor 

5 selectively associated with a predetermined one of said crypto keys. 

1 10. The network storage access controller of Claim 9 wherein said 

2 predetermined network data packets encapsulate SCSI protocol data. 

1 IL The network storage access controller of Claim 10 wherein said 

2 predetermined network data packets conform to the iSCSI protocol. 

1 12. A network storage controller supporting client access to network attached 

2 data storage, said network controller being coupleable in a communications 

3 network between a plurality of client computers and a plurality of data stores, 

4 wherein said network storage controller provides for the transfer of network data 

5 between said client computers and said data stores, wherein said network data 
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6 includes media-level data and wherein said network access controller provides for 
the selective encryption and decryption of said media-level data transferred with 



7 

8 respect to said plurality of data stores. 

1 13. The network storage controller of Claim 1 2 wherein the transfer of network 

2 data between said client computers and said data stores is client directed subject 

3 to an access management policy autonomously implemented by said network 

4 storage controller. 

1 14. The network storage controller of Claim 13 wherein said access 

2 management policy defines a correspondence between said data stores and a 

3 plurality of encryption keys stored by said network storage controller. 



1 15. The network storage controller of Claim 14 wherein said access 

2 management policy defines a correspondence of data access permissions 

3 between users and said data stores. 



1 1 6. The network storage controller of Claim 1 2 wherein said network storage 

2 controller provides for the proxy transfer of network data between said client 

3 computers and said data stores. 

1 17. A network media access controller configured as a network proxy portal to 

2 provide storage security for clients with respect to network attached storage 

3 devices, said network media access controller comprising a network data 

4 processor coupleable between an initiator network and a target network to 

5 provide for the proxy transfer of predetermined network protocol data packets 
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6 containing media-level data between said initiator and target networks, said 

7 network data processor being operative to selectively process said predetermined 

8 network protocol data packets to encrypt and decrypt media-level data. 

1 18. The network media access controller of Claim 17 wherein said 

2 predetermined network protocol data packets conform to the iSCSI protocol and 

3 wherein said media-level data Is SCSI media data. 



119. The network media access controller of Claim 17 wherein said network 
p 2 data processor includes a plurality of encryption keys and wherein network data 



3 processor selectively processes said predetermined network protocol data packets 

4 based on a predefined correspondence between said plurality of encryption keys 
# 5 and a plurality of target storage resources accessible via said target network. 



1 20. The network media access controller of Claim 1 9 wherein said predefined 

2 correspondence supports a proxy mapping of a plurality of virtual target storage 

3 devices accessible via said initiator network by a plurality of client computer 

4 systems to said plurality of target storage resources accessible via said target 

5 network. 



1 21 . The network media access controller of Claim 20 wherein said predefined 

2 correspondence is associated with said plurality of virtual target storage devices. 

1 22. The network media access controller of Claim 21 wherein said network 

2 data processor implements a data packet filter to selectively provide for the proxy 

3 transfer of predetermined network protocol data packets. 
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1 23. The network media access controller of Claim 22 wherein said 

2 predetermined network protocol data packets conform to the iSCSI protocol and 

3 wherein said media-level data is SCSI media data. 



1 24. A method of providing secure storage of data over a network connection, 

2 said method comprising the steps of: 

3 a) first processing network data packets, transferred over a network 

4 between o client computer system and a storage system, to identify predetermined 
13 5 network data packets containing media-level data; and 

f ^ 6 b) second processing said predetermined network data packets to encrypt 

^ 7 the media-level data contained in said predetermined network data packets being 

Of 

8 transferred to said storage system and to decrypt the media-level data contained 

9 in said predetermined network data packets being transferred to said client 
1 0 computer system. 



HI 



1 25. The method of Claim 24 wherein said storage system includes a plurality 

2 of storage resources and wherein said step of first processing determines a target 

3 storage resource from a predetermined network data packet, said method further 

4 comprising the step of selecting an encryption key corresponding to said target 

5 storage resource for use in connection with said second processing step with 

6 respect to said predetermined network data packet. 

1 26. The method of Claim 25 further comprising the step of selectively filtering 

2 network data packets permitted to be transferred over said network between said 

3 client computer system and said storage system. 
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1 27. The method of Claim 26 further comprising the steps of: 

2 a) providing a plurality of virtual storage resources as target storage 

3 resources for said client computer system; and 

4 b) providing a mapping of said plurality of virtual storage resources to said 

5 plurality of storage resources wherein said mapping is used in said first processing 

6 step to transfer network data packets over said network between said client 

7 computer system and said storage system, 

1 28. A method of managing the secure storage of data in network attached 

2 storage systems, said method comprising the steps of: 

3 a) establishing a network storage portal through which network storage 

4 data packets are passed between a client computer system and a network data 

5 store; and 

6 b) crypto processing, on passage through said network storage portal, 

7 media-level data contained within network storage data packets to selectively 

8 encrypt, at said network storage portal, media-level data passed to said network 

9 data store and selectively decrypt, at said network storage portal, media-level data 
10 passed from said network data store. 

1 29* The method of Claim 28 wherein said network data store includes a 

2 plurality of network data store resources, said method further comprising the step 

3 of associating, at said network storage portal, media-level data encryption keys 

4 with said network data store resources to control the encryption and decryption 

5 of media-level data passed to and from said plurality of network data store 

6 resources. 
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1 30. The method of Claim 29 further comprising the step of providing, at said 

2 network storage portal, for the management of a defined key correspondence 

3 between said plurality of media-level data encryption keys and said plurality of 

4 network data store resources. 

1 31 . The method of Claim 30 further comprising the steps of: 

2 a) presenting, at said network storage portal, a plurality of virtual network 

3 data store resources to said client computer system as targets for network storage 

4 data packets; and 

5 b) mapping, at said network storage portal, said plurality of virtual network 

6 data store resources to said plurality of network data store resources, 

7 wherein said step of providing further provides for the management of a 

8 defined map correspondence between said plurality of virtual network data store 



9 resources to said plurality of network data store resources. 



1 32. The method of Claim 31 further comprising the step of filtering, at said 

2 network storage portal, the network storage data packets passed between said 

3 client computer system and said network data store, wherein said step of 

4 providing further provides for the management of a filter rule set used in said 

5 filtering step to determine which network storage data packets are passed 

6 between said client computer system and said network data store. 

1 33. The method of Claim 32 wherein said step of providing supports access by 

2 a management server to establish said defined key correspondence, said defined 

3 map, and said filter rule set. 
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1 34. A network media access controller comprising: 

2 a) an initiator network interface coupleable through a first network to a 

3 client initiator, 

4 b) a target network interface coupleable through a second network to a 

5 storage target; and 

6 c) a network data processor coupled between said initiator and target 

7 network interfaces, wherein said client initiator and storage target communicate 

8 storage data over said first and second networks using a data transfer protocol 

9 encapsulated by a network communications protocol, wherein said data transfer 
1 0 protocol provides for the storage and retrieval of media-level data, wherein said 

1^1 1 1 network data processor is operative to transfer network data packets conforming 

I'JI 12 to said network communications protocol between said initiator and target 

■'^ 13 network interfaces, said network data processor being further operative to 

i? 

14 selectively encrypt and decrypt media-level data contained within network data 

15 packets transferred between said initiator and target network interfaces. 



1 35, The network media access controller of Claim 34 wherein said data 

2 transfer protocol is the SCSI protocol. 

1 36. The network media access controller of Claim 35 wherein said network 

2 communications protocol is the iSCSI protocol. 
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